Remember Stuxnet, anyone? It never became totally clear who was behind it – speculations range from the CIA to Mossad to the flying spaghetti monster; at least two of these might be interested in Stuxnet's main target, Iranian nuclear facilities with neglected Windows installations. Now, parts of Stuxnet's code seem to have been recycled in a different type of malware, a Trojan horse.
Duqu shares a great deal of code with Stuxnet; however, the payload is completely different. Instead of a payload designed to sabotage an industrial control system, the payload has been replaced with general remote access capabilities. The creators of Duqu had access to the source code of Stuxnet, not just the Stuxnet binaries. The attackers intend to use this capability to gather intelligence from a private entity to aid future attacks on a third party.
According to Symantec, Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors, or at least by programmers who have access to the Stuxnet source code, and appears to have been created after the last Stuxnet file was recovered. Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.
Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT). Interestingly, the threat does not self-replicate. Symantec's telemetry indicates the threat was highly targeted toward a limited number of organizations for their specific assets. It may be possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.
Duqu uses HTTP and HTTPS to communicate with a command-and-control (C&C) server that is still operational. The attackers were able to download additional executables through the C&C server, including an infostealer that can perform actions such as enumerating the network, recording keystrokes, and gathering system information. The information is logged to a lightly encrypted and compressed local file, which then must be exfiltrated.
The threat uses a custom C&C protocol, primarily downloading or uploading what appear to be JPG files. However, in addition to transferring dummy JPG files, additional data for exfiltration is encrypted and sent, and likewise received. Finally, the threat is configured to run for 36 days. After 36 days, the threat will automatically remove itself from the system.
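The C&C traffic described above hides encrypted data behind what look like JPG transfers. As an added, defender-side illustration (this is not Symantec's analysis code and not Duqu's actual protocol, whose wire format the page does not describe), the following Python checks whether an HTTP body labelled `image/jpeg` is structurally a JPEG and nothing more: it walks the marker segments to the EOI marker, then measures how many bytes follow it and their Shannon entropy, since encrypted or compressed data appended to a dummy image looks like random bytes. The sample bodies, the `build_minimal_jpeg` helper and the `bytes(range(256))` stand-in for an encrypted blob are all constructed here for the example.

```python
"""Flag 'image/jpeg' HTTP bodies that carry data appended after the JPEG end marker.

Constructed example for detection engineering; not Duqu's real protocol.
"""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers with no length field: TEM (0x01), SOI, EOI, RST0-RST7 (0xD0-0xD7)
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))
# Inside entropy-coded data, FF 00 is byte stuffing and FF D0-D7 are restart markers
NOT_A_REAL_MARKER = {0x00} | set(range(0xD0, 0xD8))


@dataclass
class JpegVerdict:
    valid_structure: bool
    trailing_bytes: int
    trailing_entropy: float
    suspicious: bool


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum and is typical of encrypted/compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def jpeg_end_offset(body: bytes) -> Optional[int]:
    """Return the offset just past the EOI marker of a well-formed JPEG, or None.

    Walks marker segments (FF xx [len_hi len_lo ...]); after SOS the entropy-coded
    data is scanned byte-wise for the next real marker.
    """
    if len(body) < 4 or body[0] != 0xFF or body[1] != SOI:
        return None
    pos = 2
    while pos + 1 < len(body):
        if body[pos] != 0xFF:
            return None  # expected a marker here: structure is broken
        marker = body[pos + 1]
        if marker == 0xFF:  # fill byte between markers, skip it
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(body):
            return None
        seg_len = int.from_bytes(body[pos + 2:pos + 4], "big")
        if seg_len < 2:
            return None
        pos += 2 + seg_len
        if marker == SOS:
            # skip compressed scan data until a marker that is not stuffing/RSTn
            while pos + 1 < len(body):
                if body[pos] == 0xFF and body[pos + 1] not in NOT_A_REAL_MARKER:
                    break
                pos += 1
    return None


def inspect_jpeg_body(body: bytes, min_trailing: int = 16) -> JpegVerdict:
    """Verdict for a body that claims to be image/jpeg."""
    end = jpeg_end_offset(body)
    if end is None:
        # Claims to be a JPEG but is not one: worth a look on its own
        return JpegVerdict(False, 0, 0.0, True)
    trailing = body[end:]
    ent = shannon_entropy(trailing)
    # A few padding bytes are harmless; a sizeable near-random tail is not
    suspicious = len(trailing) >= min_trailing and ent > 7.0
    return JpegVerdict(True, len(trailing), ent, suspicious)


def scan_transactions(transactions: List[Tuple[str, str, bytes]]) -> List[str]:
    """Return names of image/jpeg transactions whose body looks suspicious."""
    flagged = []
    for name, content_type, body in transactions:
        if content_type.lower().startswith("image/jpeg"):
            if inspect_jpeg_body(body).suspicious:
                flagged.append(name)
    return flagged


def build_minimal_jpeg(scan_data: bytes = b"\x12\x34\xff\x00\x56") -> bytes:
    """Constructed minimal JPEG: SOI, APP0 (JFIF), SOS, scan data, EOI."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + sos + scan_data + b"\xff\xd9"


if __name__ == "__main__":
    # Constructed sample transactions: (name, Content-Type, body)
    samples = [
        ("clean.jpg", "image/jpeg", build_minimal_jpeg()),
        ("padded.jpg", "image/jpeg", build_minimal_jpeg() + b"\x00\x00"),
        ("stuffed.jpg", "image/jpeg", build_minimal_jpeg() + bytes(range(256))),
        ("fake.jpg", "image/jpeg", b"not an image at all"),
    ]
    for name, ctype, body in samples:
        print(name, inspect_jpeg_body(body))
    print("flagged:", scan_transactions(samples))
```

In production this check would sit on a proxy or IDS where the HTTP body is reassembled; the entropy threshold and `min_trailing` are tuning knobs, and a body that fails the structural parse deserves its own alert class, since real images from a camera or web server should parse cleanly.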
The effects of Stuxnet, gathering information on SCADA (Supervisory Control and Data Acquisition) but designed to target Siemens only, and now Stuxnet in the form of Duqu, as you've said, they are almost alike in programming but not in what they do; people should be aware of this malware and arm their computers with updated anti-virus to help secure their critical information.
Posted by: zarc@button spy cam | 10/26/2011 at 03:10 AM
I don't know what everyone is on about; the article doesn't say anything about QR codes having ACTUALLY been exploited. Sure there is motivation to put malware into QR codes, there is motivation to put malware into everything; the question isn't would people like to, it's can it be done. QR codes have a very small window of text (about 4k at its highest with very little redundancy), 2k of binary, and while you could make a program that reads them with nearly no checking or proper memory allocation that could be weak to exploit, it would also be a poor parser and not likely to be very widespread in its use. The uses of QR codes are very limited, the parsing very well defined; malware seems very unlikely. Until new things are added to QR, from time to time new protocols are built on top of QR (like the market: tag for things on the Android market); that is about the only place malware could get in, a poor protocol specification.
Posted by: Karen | 08/11/2012 at 05:08 AM